Selective Enabling of Applications Using an HTTP or HTTPS Server

Last Updated: October 12, 2011

The Selective Enabling of Applications Using an HTTP or HTTPS Server feature eliminates a potential security vulnerability by providing a facility to enable selected HTTP and HTTP over Secure Socket Layer (HTTPS) services on both the Cisco IOS HTTP and HTTPS server infrastructure. This feature also provides the capability to view the current state of the HTTP and HTTPS services, including which services are enabled or disabled.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Selective Enabling of Applications Using an HTTP or HTTPS Server

Selective Enabling of Applications Within the HTTP and HTTPS Infrastructure

The Selective Enabling of Applications Using an HTTP or HTTPS Server feature eliminates a potential security vulnerability by providing a facility to enable selected HTTP and HTTPS services on both the Cisco IOS HTTP and HTTPS server infrastructure. This feature also provides the capability to view the current state of the HTTP and HTTPS services, including which services are enabled or disabled.

Prior to this feature, HTTP or HTTPS applications running on a router or a switch were either all enabled or all disabled when the HTTP server or HTTPS server was enabled or disabled, respectively (using the ip http server and ip http secure-server commands). When all HTTP or HTTPS applications were enabled, remote end users were given potential access to services that could allow them to pose a security threat to service providers.

With this feature, the Cisco IOS HTTP and HTTPS infrastructure provides a way to enable only selected HTTP and HTTPS applications to run on a router or a switch, thereby avoiding a potential security vulnerability. Selected HTTP and HTTPS applications can be enabled using the ip http active-session-modules and ip http secure-active-session-modules configuration commands, respectively.


Note: The maximum number of sessions that can be registered with the Cisco IOS HTTP or HTTPS server is 32.

How to Enable Selected Applications Using an HTTP or HTTPS Server

Enabling Selected HTTP Applications

Perform this task to selectively enable the HTTP applications that will service incoming HTTP requests from remote clients.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip http session-module-list listname prefix1 [prefix2,...,prefixn]

4.    ip http active-session-modules {listname | none | all}

5.    end

6.    show ip http server session-module


DETAILED STEPS

Step 1
  Command or Action: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
  Command or Action: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: ip http session-module-list listname prefix1 [prefix2,...,prefixn]
  Example: Router(config)# ip http session-module-list list1 SCEP,HOME_PAGE
  Purpose: Defines a list of HTTP or HTTPS application names.

Step 4
  Command or Action: ip http active-session-modules {listname | none | all}
  Example: Router(config)# ip http active-session-modules list1
  Purpose: Selectively enables HTTP applications that will service incoming HTTP requests from remote clients.
  • The listname argument enables only those HTTP services configured in the list identified by the ip http session-module-list command to serve HTTP requests.
  • The keyword none disables all HTTP services from serving HTTP requests.
  • The keyword all enables all HTTP services to serve HTTP requests.

Step 5
  Command or Action: end
  Example: Router(config)# end
  Purpose: Ends your configuration session and returns the CLI to privileged EXEC mode.

Step 6
  Command or Action: show ip http server session-module
  Example: Router# show ip http server session-module
  Purpose: (Optional) Displays information about all HTTP and HTTPS services available on the router or switch, including their current state of service, such as whether they are enabled or disabled.

Enabling Selected HTTPS Applications

Perform this task to selectively enable the HTTPS applications that will service incoming HTTPS requests from remote clients.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip http session-module-list listname prefix1 [prefix2,...,prefixn]

4.    ip http secure-active-session-modules {listname | none | all}

5.    end

6.    show ip http server session-module


DETAILED STEPS

Step 1
  Command or Action: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
  Command or Action: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: ip http session-module-list listname prefix1 [prefix2,...,prefixn]
  Example: Router(config)# ip http session-module-list list1 SCEP,HOME_PAGE
  Purpose: Defines a list of HTTP or HTTPS application names.

Step 4
  Command or Action: ip http secure-active-session-modules {listname | none | all}
  Example: Router(config)# ip http secure-active-session-modules list1
  Purpose: Selectively enables HTTPS applications that will service incoming HTTPS requests from remote clients.
  • The listname argument enables only those HTTPS services configured in the list identified by the ip http session-module-list command to serve HTTPS requests.
  • The keyword none disables all HTTPS services from serving HTTPS requests.
  • The keyword all enables all HTTPS services to serve HTTPS requests.

Step 5
  Command or Action: end
  Example: Router(config)# end
  Purpose: Ends your configuration session and returns the CLI to privileged EXEC mode.

Step 6
  Command or Action: show ip http server session-module
  Example: Router# show ip http server session-module
  Purpose: (Optional) Displays information about all HTTP and HTTPS services available on the router or switch, including their current state of service, such as whether they are enabled or disabled.

Configuration Examples for Selective Enabling of Applications Using an HTTP or HTTPS Server

Enabling Selected HTTP and HTTPS Applications Example

The following sample shows a configuration with a different set of services available for HTTP and HTTPS requests. In this example, all HTTP applications are enabled for providing services to remote clients, but for HTTPS services, only the HTTPS applications defined in list1 (Simple Certificate Enrollment Protocol [SCEP] and HOME_PAGE) are enabled.

ip http session-module-list list1 SCEP,HOME_PAGE
ip http active-session-modules all
ip http server
ip http secure-server
ip http secure-active-session-modules list1
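
The following audit sketch is an added example, not Cisco code: it reads saved configuration text and reports which application modules each server exposes, using only the commands shown in this module. The function name, the "*" marker for "all applications", and the treatment of a missing active-session-modules line as all are assumptions of the example.

```python
import re

# Constructed sample input: the configuration example from this module.
SAMPLE_CONFIG = """\
ip http session-module-list list1 SCEP,HOME_PAGE
ip http active-session-modules all
ip http server
ip http secure-server
ip http secure-active-session-modules list1
"""

def audit_http_modules(config, default="all"):
    """Report the effective module selection for the HTTP and HTTPS servers.

    default is the ASSUMED selection when no active-session-modules line exists.
    """
    lists = {}                                    # list name -> application names
    selection = {"http": default, "https": default}
    enabled = {"http": False, "https": False}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip http session-module-list (\S+) (\S.*)", line)
        if m:
            lists[m.group(1)] = [p.strip() for p in m.group(2).split(",") if p.strip()]
        elif (m := re.fullmatch(r"ip http (secure-)?active-session-modules (\S+)", line)):
            selection["https" if m.group(1) else "http"] = m.group(2)
        elif line == "ip http server":
            enabled["http"] = True
        elif line == "ip http secure-server":
            enabled["https"] = True
    report = {}
    for proto in ("http", "https"):
        choice, modules, findings = selection[proto], [], []
        if not enabled[proto]:
            pass                                  # server off: nothing is served
        elif choice == "all":
            modules = ["*"]                       # "*" = every registered application
            findings.append("every registered application is reachable")
        elif choice in lists:
            modules = lists[choice]
        elif choice != "none":
            # The audit cannot resolve the name; flag it for manual review.
            findings.append(f"list '{choice}' is referenced but not defined")
        report[proto] = {"enabled": enabled[proto], "modules": modules,
                         "findings": findings}
    return report

if __name__ == "__main__":
    for proto, result in audit_http_modules(SAMPLE_CONFIG).items():
        print(proto, result)
```

Run against the sample, the HTTP server is flagged because of the all keyword, while the HTTPS server resolves to the two applications in list1.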

Additional References

The following sections provide references related to the Selective Enabling of Applications Using an HTTP or HTTPS Server feature.

Related Documents

  • Additional HTTP configuration information: Using the Cisco Web Browser User Interface feature module
  • Additional HTTPS configuration information: HTTPS - HTTP Server and Client with SSL 3.0 feature module
  • Additional HTTP and HTTPS commands: Cisco IOS Network Management Command Reference

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

None. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Feature Information for Selective Enabling of Applications Using an HTTP or HTTPS Server

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for Selective Enabling of Applications Using an HTTP or HTTPS Server

Feature Name: Selective Enabling of Applications Using an HTTP or HTTPS Server

Releases: 12.3(14)T

Feature Information: The Selective Enabling of Applications Using an HTTP or HTTPS Server feature eliminates a potential security vulnerability by providing a facility to enable selected HTTP and HTTP over Secure Socket Layer (HTTPS) services on both the Cisco IOS HTTP and HTTPS server infrastructure. This feature also provides the capability to view the current state of the HTTP and HTTPS services, including which services are enabled or disabled.

© 2011 Cisco Systems, Inc. All rights reserved.
